- The MAILING DATE of this communication appears on the cover sheet with the correspondence address -
Period for Reply 



A SHORTENED STATUTORY PERIOD FOR REPLY IS SET TO EXPIRE 3 MONTH(S) OR THIRTY (30) DAYS, 
WHICHEVER IS LONGER, FROM THE MAILING DATE OF THIS COMMUNICATION. 

- Extensions of time may be available under the provisions of 37 CFR 1.136(a). In no event, however, may a reply be timely filed
after SIX (6) MONTHS from the mailing date of this communication. 

- If NO period for reply is specified above, the maximum statutory period will apply and will expire SIX (6) MONTHS from the mailing date of this communication. 

- Failure to reply within the set or extended period for reply will, by statute, cause the application to become ABANDONED (35 U.S.C. § 133). 
Any reply received by the Office later than three months after the mailing date of this communication, even if timely filed, may reduce any 
earned patent term adjustment. See 37 CFR 1.704(b).

Status 

1) [X] Responsive to communication(s) filed on 31 October 2007.
2a) [ ] This action is FINAL. 2b) [X] This action is non-final.

3) [ ] Since this application is in condition for allowance except for formal matters, prosecution as to the merits is
closed in accordance with the practice under Ex parte Quayle, 1935 C.D. 11, 453 O.G. 213.

Disposition of Claims

4) [X] Claim(s) 1 and 3-33 is/are pending in the application.

4a) Of the above claim(s) is/are withdrawn from consideration.

5) [ ] Claim(s) is/are allowed.

6) [X] Claim(s) 1 and 3-33 is/are rejected.

7) [ ] Claim(s) is/are objected to.

8) [ ] Claim(s) are subject to restriction and/or election requirement.

Application Papers

9) [ ] The specification is objected to by the Examiner.

10) [ ] The drawing(s) filed on is/are: a) [ ] accepted or b) [ ] objected to by the Examiner.

Applicant may not request that any objection to the drawing(s) be held in abeyance. See 37 CFR 1.85(a).
Replacement drawing sheet(s) including the correction is required if the drawing(s) is objected to. See 37 CFR 1.121(d).

11) [ ] The oath or declaration is objected to by the Examiner. Note the attached Office Action or form PTO-152.

Priority under 35 U.S.C. § 119

12) [ ] Acknowledgment is made of a claim for foreign priority under 35 U.S.C. § 119(a)-(d) or (f).
a) [ ] All b) [ ] Some * c) [ ] None of:

1. [ ] Certified copies of the priority documents have been received.

2. [ ] Certified copies of the priority documents have been received in Application No. .

3. [ ] Copies of the certified copies of the priority documents have been received in this National Stage
application from the International Bureau (PCT Rule 17.2(a)).
* See the attached detailed Office action for a list of the certified copies not received.
Response to Amendment



1. This is in response to the request for continued examination filed 10/31/2007.

2. Applicant's arguments with respect to claims 1 and 3-33 have been considered but are
moot in view of the new ground(s) of rejection. 



Quotations of U.S. Code Title 35 

3. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the 
basis for the rejections under this section made in this Office action: 

A person shall be entitled to a patent unless - 

(e) the invention was described in (1) an application for patent, published under section 122(b), by another filed 
in the United States before the invention by the applicant for patent or (2) a patent granted on an application for 
patent by another filed in the United States before the invention by the applicant for patent, except that an 
international application filed under the treaty defined in section 351(a) shall have the effects for purposes of this 
subsection of an application filed in the United States only if the international application designated the United 
States and was published under Article 21(2) of such treaty in the English language. 

4. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 
manner in which the invention was made.

5. The claims and only the claims form the metes and bounds of the invention. "Office
personnel are to give claims their broadest reasonable interpretation in light of the supporting
disclosure. In re Morris, 127 F.3d 1048, 1054-55, 44 USPQ2d 1023, 1027-28 (Fed. Cir. 1997).
Limitations appearing in the specification but not recited in the claim are not read into the claim.
In re Prater, 415 F.2d 1393, 1404-05, 162 USPQ 541, 550-551 (CCPA 1969)" (MPEP p 2100-8, c
2, l 45-48; p 2100-9, c 1, l 1-4). The Examiner has full latitude to interpret each claim in the
broadest reasonable sense. The Examiner will reference prior art using terminology familiar to 
one of ordinary skill in the art. Such an approach is broad in concept and can be either explicit or 
implicit in meaning. 

Claim Rejections - 35 USC § 103 

6. Claims 1, 5-7, 9, 10, 20, 23-25, and 27-29 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over U.S. Patent No. 6,421,571 ("Spriggs") in view of U.S. Patent No. 5,539,906 
("Abraham"). 

Regarding claim 1 

Spriggs teaches "an automation security system, comprising: an asset component that defines an
industrial automation device" (see C 3 L 20-24 "asset management system for protecting and
managing industrial plant assets"); "an access component that defines a security attribute
associated with the industrial automation device" (see C 14 L 20-39 and C 27 L 64 to C 28 L 1-2
"settings security based on each user associates with different instrumentations of the industrial
plant"); "and a security component that regulates access to the industrial automation device
based upon the security attribute" (see C 28 L 2-4 "a security manager module 222 regulates
access to the control and configuration of devices such as a portable system or an on-line system
based upon security attribute of each user").

Spriggs does not specifically disclose the security attribute including a location attribute. 

However, Abraham teaches granting security access to users based on status and 
locations of the users (e.g. col. 3, in particular lines 17-25).

Spriggs and Abraham are analogous art because they are in the same field of endeavor of 
controlling assets and security of industrial processes. 

Therefore, it would have been obvious to one of ordinary skill in the art at the time of the 
invention to incorporate the security feature based on locations of Abraham with the teaching of 
Spriggs to provide an improved data security control for a data processing system. The claim
would have been obvious in that a method of enhancing a particular class of devices (methods, or
products) was made part of the ordinary capacities of one skilled in the art based upon the
teaching of such improvement in other situations (KSR International Co. v. Teleflex Inc.).

Regarding claim 20

Spriggs teaches "an automation security system, comprising: a server that manages a network
interface between networked industrial automation devices and other devices attempting access
to the networked industrial automation devices" (see C 3 L 20-24 and L 31-57 "asset
management system for protecting and managing industrial plant assets on a network"); "a
security management module associated with the network interface that enforces an enterprise
wide policy and that manages security threats directed to the networked industrial automation
devices" (see C 14 L 20-39 and C 27 L 64 to C 28 L 1-4 "a security manager module 222
enforces security settings for system 10. The security settings are based on each user to access
different instrumentations of the industrial plant such as a portable system or an on-line
system").

Spriggs does not specifically disclose the enterprise wide policy including a location 
attribute. 

However, Abraham teaches granting security access to users based on status and 
locations of the users (e.g. col. 3, in particular lines 17-25).

Spriggs and Abraham are analogous art because they are in the same field of endeavor of 
controlling assets and security of industrial processes. 

Therefore, it would have been obvious to one of ordinary skill in the art at the time of the 
invention to incorporate the security feature based on locations of Abraham with the teaching of 
Spriggs to provide an improved data security control for a data processing system. The claim
would have been obvious in that a method of enhancing a particular class of devices (methods, or
products) was made part of the ordinary capacities of one skilled in the art based upon the
teaching of such improvement in other situations (KSR International Co. v. Teleflex Inc.).

Regarding claim 24

Spriggs teaches "an automation security methodology, comprising: electronically analyzing an
industrial automation device" (see C 3 L 20-24 and L 31-57 "asset management system for
protecting and managing industrial plant assets on a network"); "programmatically modeling the
industrial automation device in accordance with network security considerations" (see C 6 L 55-61);
"and automatically developing a security framework for an automation system based in part
on the modeling of the industrial automation device and a network access type" (see C 14 L 20-39
and C 27 L 64 to C 28 L 1-4 "a security manager module 222 enforces security settings for
system 10. The security settings are based on each user to access different instrumentations of
the industrial plant such as a portable system or an on-line system").

Spriggs does not specifically disclose the network considerations include a location 
attribute. 

However, Abraham teaches granting security access to users based on status and 
locations of the users (e.g. col. 3, in particular lines 17-25).

Spriggs and Abraham are analogous art because they are in the same field of endeavor of 
controlling assets and security of industrial processes. 

Therefore, it would have been obvious to one of ordinary skill in the art at the time of the 
invention to incorporate the security feature based on locations of Abraham with the teaching of 
Spriggs to provide an improved data security control for a data processing system. The claim
would have been obvious in that a method of enhancing a particular class of devices (methods, or
products) was made part of the ordinary capacities of one skilled in the art based upon the
teaching of such improvement in other situations (KSR International Co. v. Teleflex Inc.).

Regarding claim 28

Spriggs teaches "an automated security system for an automation control environment, 
comprising: means for defining one or more security attributes associated with at least one 
network request" (see C 3 L 20-24 and L 31-57 "asset management system for protecting and 
managing industrial plant assets on a network"); "means for processing the one or more security 
attributes" (see C 14 L 20-39 and C 27 L 64 to C 28 L 2 "settings security based on each user for 
accessing different instrumentations of the industrial plant"); "means for automatically 
determining which network devices require security resources" (see C 17 L 11-18); "means for 
controlling access to at least one of a network device and an industrial automation component
based in part on the one or more security attributes" (see C 28 L 2-4 "a security manager 
module 222 regulates access to the control and configuration of devices such as a portable 
system or an on-line system based upon security attribute of each user"). 

Spriggs does not specifically disclose the security attributes include a location attribute. 

However, Abraham teaches granting security access to users based on status and 
locations of the users (e.g. col. 3, in particular lines 17-25).

Spriggs and Abraham are analogous art because they are in the same field of endeavor of 
controlling assets and security of industrial processes. 

Therefore, it would have been obvious to one of ordinary skill in the art at the time of the 
invention to incorporate the security feature based on locations of Abraham with the teaching of 
Spriggs to provide an improved data security control for a data processing system. The claim
would have been obvious in that a method of enhancing a particular class of devices (methods, or
products) was made part of the ordinary capacities of one skilled in the art based upon the
teaching of such improvement in other situations (KSR International Co. v. Teleflex Inc.).

Regarding claim 29

Spriggs teaches "a security schema for a factory automation system, comprising: a first data 
field that describes industrial automation devices" (see C 3 L 20-24 and L 31-57 "asset 
management system for protecting and managing industrial plant assets on a network"); "a 
second data field that describes security parameters for the industrial automation devices" (see
C 14 L 20-39 and C 27 L 66 to C 28 L 1-2 "settings security based on each user for accessing
different instrumentations of the industrial plant"); "and a schema that associates the first and
second data fields, the schema employed to limit access to the industrial automation devices
based upon the security parameters" (see C 28 L 2-4 "a security manager module 222 regulates
access to the control and configuration of devices such as a portable system or an on-line system 
based upon security attribute of each user"). 

Spriggs does not specifically disclose the security parameter including a location 
attribute. 

However, Abraham teaches granting security access to users based on status and 
locations of the users (e.g. col. 3, in particular lines 17-25).

Spriggs and Abraham are analogous art because they are in the same field of endeavor of 
controlling assets and security of industrial processes. 

Therefore, it would have been obvious to one of ordinary skill in the art at the 
time of the invention to incorporate the security feature based on locations of Abraham with the
teaching of Spriggs to provide an improved data security control for a data processing system. The
claim would have been obvious in that a method of enhancing a particular class of devices
(methods, or products) was made part of the ordinary capacities of one skilled in the art based 
upon the teaching of such improvement in other situations (KSR International Co. v. Teleflex 
Inc.). 

Regarding claim 5 

Spriggs teaches the asset component describes at least one of factory components and groupings, 
the factory components are at least one of sensors, actuators, controllers, I/O modules, 
communications modules, and human-machine interface (HMI) devices (see C 3 L 45-52 and
C 7 L 2-5).

Regarding claim 6 

Spriggs teaches the groupings include factory components that are grouped into at least one of 
machines, machines grouped into lines, and lines grouped into facilities (see C 3 L 53-57).

Regarding claim 7

Spriggs teaches the groupings have associated severity attributes such as at least one of risk and 
security incident cost (see C 4 L 31-37).

Regarding claim 8

Spriggs and Abraham do not specifically teach an ISA S95 Model for Enterprise to Control 
System integration to integrate security aspects across or within respective groupings. "Official 
Notice" is taken that both the concept and advantages of providing an ISA S95 Model for 
Enterprise to Control System integration to integrate security aspects across or within respective 
groupings is well known and expected in the art. U.S. Patent Application Publication No. 
2003/0014500 to Schleiss et al. discloses a preferred flow of communication between various 
process control and information technology systems are typically found within an enterprise 
defined by an ISA S95 model international standard (see paragraphs 7 and 8). It would have been 
obvious to one of ordinary skill in the art to include the ISA S95 model for Enterprise to Control 
system to Spriggs because it would provide for interacting between production or process control 
systems, enterprise resource planning systems and manufacturing execution systems to facilitate 
the integration of these systems.

Regarding claim 9

Spriggs teaches a set of generic IT components and specifies parameters to assemble and
configure the IT components to achieve flexible access to the industrial automation device (see
C 6 L 55-61).

Regarding claim 10

Spriggs teaches the IT components include at least one of switches with virtual local area 
network (VLAN) capability, routers with access list capability, firewalls, virtual private network 
(VPN) termination devices, intrusion detection systems, AAA servers, configuration tools, and 
monitoring tools (see C 7 L 26-44).

Regarding claim 23

Spriggs teaches at least one of: an authentication with the one or more servers to establish a 
secure link; a secure link to authenticate and authorize access to a requestor of the networked 
industrial automation device; and establishment of a secure session with the requestor if access is 
authorized (see C 3 L 45-52 and C 7 L 2-5).

Regarding claim 25

Spriggs teaches analyzing one or more security attributes to determine whether access should be 
granted to the one or more industrial automation assets (see C 3 L 20-25).

Regarding claim 27

Spriggs teaches at least one of: determining whether to grant access to the one or more 
automation assets; granting access from the industrial automation device; and granting access 
from the industrial automation device; and granting access from a network device associated 
with the industrial automation device (see C 27 L 65 to C 28 L 6).

7. Claims 3, 4, 11-19, 21, 22, 26, and 30-33 are rejected under 35 U.S.C. 103(a) as being
unpatentable over Spriggs in view of Abraham and further in view of U.S. Patent Application
Publication No. 2004/0034774 ("Le Saint").

Regarding claims 3, 4, 26 and 30

Spriggs does not specifically discuss the security component is based on at least one of a formal 
threat analysis, a vulnerability analysis, a factory topology mapping and an attack tree analysis; 
the security component is based on at least one of automation and process control security, 
cryptography, and Authentication/Authorization/Accounting (AAA). 

However, Le Saint teaches the security component is based on at least one of a formal 
threat analysis, a vulnerability analysis, a factory topology mapping and an attack tree analysis 
(see paragraph 48); the security component is based on at least one of automation and process 
control security, cryptography, and Authentication/Authorization/Accounting (AAA) (see 
paragraph 13). 

Therefore, it would have been obvious to one of ordinary skill in the art at the time of the 
invention to incorporate the security attributes and security component of Le Saint with the 
system of Spriggs because it would provide for the purpose of enforcing control aspect stated in 
the attributes including security policies and delegated privilege state.

Regarding claims 11-22 and 31-33

Spriggs does not specifically disclose security parameters and policies that are developed for 
physical and electronic security for various component types; at least one of security protection 
levels, identification entry capabilities, integrity algorithms, and privacy algorithms; the security 
component includes at least one of authentication software, virus detection, intrusion detection, 
authorization software, attack detection, protocol checker, and encryption software; at least one
of acts as an intermediary between an access system and one or more automation components, 
and facilitates communications between the access system and the one or more automation 
components; the security attributes are specified as part of a network request to gain access to the 
one or more factory assets, the security attributes included in at least one of a group, set, subset, 
and class; the security component employs at least one authentication procedure and an 
authorization procedure to process the network request; one or more security protocols including 
at least one of Internet Protocol Security (IPSec), Kerberos, Diffie-Hellman exchange, Internet 
Key Exchange (IKE), digital certificate, pre-shared key, and encrypted password, to process the 
network request; at least one of an access key and a security switch to control network access to 
a device or network; the access key further comprises at least one of time, location, batch, 
process, program, calendar, GPS (Global Positioning Information) to specify local and wireless 
network locations, to control access to the device or network; the security management module 
at least one of schedules audits, establishes a security policy, applies the policy from a single or 
distributed console, and generates reports that identify potential weaknesses in security; the 
security management module provides an interface to at least one of add, delete and modify 
security rights of an individual, a group, or a device and distribute security information to 
various controllers and control devices; a response schema to provide status to a requesting 
network device; the response schema including at least one of a status field, a time field, an 
access type field, an access location field, and a key field, an attachment field to indicate other 
security data follows the response schema.

However, Le Saint teaches security parameters and policies that are developed for
physical and electronic security for various component types (see paragraph 50); at least one of 
security protection levels, identification entry capabilities, integrity algorithms, and privacy 
algorithms (see paragraph 50); the security component includes at least one of authentication 
software, virus detection, intrusion detection, authorization software, attack detection, protocol 
checker, and encryption software (see paragraph 52); at least one of the industrial automation 
devices acts as an intermediary between an access system and one or more automation 
components, and facilitates communications between the access system and the one or more 
automation components (see paragraph 52); the security attributes are specified as part of a 
network request to gain access to the one or more factory assets, the security attributes included 
in at least one of a group, set, subset, and class; the security component employs at least one 
authentication procedure and an authorization procedure to process the network request (see 
paragraph 57); one or more security protocols including at least one of Internet Protocol Security 
(IPSec), Kerberos, Diffie-Hellman exchange, Internet Key Exchange (IKE), digital certificate, 
pre-shared key, and encrypted password, to process the network request (see paragraph 54); 
at least one of an access key and a security switch to control network access to a device or 
network; the access key further comprises at least one of time, location, batch, process, program, 
calendar, GPS (Global Positioning Information) to specify local and wireless network locations, 
to control access to the device or network (see paragraph 57); the security management module 
at least one of schedules audits, establishes a security policy, applies the policy from a single or 
distributed console, and generates reports that identify potential weaknesses in security; the 
security management module provides an interface to at least one of add, delete and modify 
security rights of an individual, a group, or a device and distribute security information to
various controllers and control devices (see paragraph 60); a response schema to provide status 
to a requesting network device; the response schema including at least one of a status field, a 
time field, an access type field, an access location field, and a key field, an attachment field to 
indicate other security data follows the response schema (see paragraph 63). 

Therefore, it would have been obvious to one of ordinary skill in the art at the time of the 
invention to incorporate the security system of Le Saint with the system of Spriggs because it 
would provide for the purpose of enforcing control aspect stated in the attributes including 
security policies and delegated privilege state. 



Any inquiry concerning this communication or earlier communications from the
examiner should be directed to examiner Thomas Pham, whose telephone number is (571) 272-3689,
Monday - Friday from 7:30 AM - 4:00 PM EST, or contact Supervisor Mr. David Vincent
at (571) 272-3080.

Any response to this office action should be mailed to: Commissioner for Patents, P.O. 
Box 1450, Alexandria VA 22313-1450. Responses may also be faxed to the official fax 
number (571) 273-8300. 

Thomas Pham 

Primary Examiner 